COM referral responses from root without glue and TC bit
Puneet Sood
puneets at google.com
Fri Jan 12 19:25:15 UTC 2024
Hi dns operators,
While investigating a production issue, we found the following
interesting response from some root name servers.
Note: query does not use EDNS0; response does not set TC bit and has no glue.
$ dig @m.root-servers.net kcmbrvwjafupdyztdq2ifvi6ye7fcacaaben6jaavmoaaaeqnqaaa2qaaaanh7j.a5erjsqwn7zic34e7psoufcfue6rsznpw34cx57gjhhqqj6edwr6o57wikagcdv.ard6pjajyuo6kmpbm6ohbbjppyhmkivhxxmgqgb5xjpl2cvvlzo34erwypot4fw.lh4aa5rzkni7yihszvyxxw43w4aa3cysaws7jtjg.dns.uas-1.optnl.com +noedns +ignore
; <<>> DiG 9.10.6 <<>> @m.root-servers.net kcmbrvwjafupdyztdq2ifvi6ye7fcacaaben6jaavmoaaaeqnqaaa2qaaaanh7j.a5erjsqwn7zic34e7psoufcfue6rsznpw34cx57gjhhqqj6edwr6o57wikagcdv.ard6pjajyuo6kmpbm6ohbbjppyhmkivhxxmgqgb5xjpl2cvvlzo34erwypot4fw.lh4aa5rzkni7yihszvyxxw43w4aa3cysaws7jtjg.dns.uas-1.optnl.com +noedns +ignore
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44314
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;kcmbrvwjafupdyztdq2ifvi6ye7fcacaaben6jaavmoaaaeqnqaaa2qaaaanh7j.a5erjsqwn7zic34e7psoufcfue6rsznpw34cx57gjhhqqj6edwr6o57wikagcdv.ard6pjajyuo6kmpbm6ohbbjppyhmkivhxxmgqgb5xjpl2cvvlzo34erwypot4fw.lh4aa5rzkni7yihszvyxxw43w4aa3cysaws7jtjg.dns.uas-1.optnl.com. IN A
;; AUTHORITY SECTION:
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
;; Query time: 180 msec
;; SERVER: 2001:dc3::35#53(2001:dc3::35)
;; WHEN: Fri Jan 12 13:19:56 EST 2024
;; MSG SIZE rcvd: 497
========================
We confirmed similar behavior from some of the other root operators.
for s in a b c d e f g h i j k l m; do echo -n ${s} && (dig @${s}.root-servers.net kcmbrvwjafupdyztdq2ifvi6ye7fcacaaben6jaavmoaaaeqnqaaa2qaaaanh7j.a5erjsqwn7zic34e7psoufcfue6rsznpw34cx57gjhhqqj6edwr6o57wikagcdv.ard6pjajyuo6kmpbm6ohbbjppyhmkivhxxmgqgb5xjpl2cvvlzo34erwypot4fw.lh4aa5rzkni7yihszvyxxw43w4aa3cysaws7jtjg.dns.uas-1.optnl.com +noedns +ignore | grep flags); done
a;; flags: qr tc rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
b;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
c;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
d;; flags: qr tc rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
e;; flags: qr tc rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
f;; flags: qr tc rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
g;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
h;; flags: qr tc rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
i;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
j;; flags: qr tc rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
k;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
l;; flags: qr tc rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
m;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
==========================
While the above is a somewhat contrived example in 2023 (with larger
UDP bufsize and qname minimization), there can still be other
scenarios where a referral response with in-bailiwick name servers
does not fit in the available bufsize. The problem while rare for root
can be a bigger issue since root does provide glue for most if not all
delegations.
Question for root server operators: can the responses be fixed to set
TC bit when glue is dropped?
In general, relevant name server software vendors should also fix this,
but it will take time to be deployed by operators.
Relevant text from RFC 9471 abstract: If message size constraints
prevent the inclusion of all glue records for in-domain name servers,
the server must set the TC (Truncated) flag to inform the client that
the response is incomplete.
Thanks,
Puneet
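The check the post is asking root operators for can be automated on the resolver side as a monitoring rule. The following is an added example, not code from the post or from any root operator: it parses dig's text output (the format shown above), collects the NS records from the AUTHORITY section and the A/AAAA owner names from the ADDITIONAL section, and reports a referral as violating the quoted RFC 9471 requirement when an in-domain name server (one whose name is at or below the delegation's owner name) has no glue and the TC flag is not set. Name servers outside the delegated domain (such as the gtld-servers.net names in the root's com. referral above) are reported separately as informational, because the RFC text quoted in the post covers only in-domain servers. The `DigResponse`, `Finding`, `parse_dig` and `check_referral` names and the three sample responses are constructed for this example.

```python
"""Audit a referral response for RFC 9471 glue/TC consistency.

Input is dig's text output; only the flags line, the AUTHORITY section
(NS records) and the ADDITIONAL section (A/AAAA records) are used.
"""
import re
from dataclasses import dataclass, field

# owner  ttl  IN  type  rdata   (dig prints these tab separated)
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(NS|A|AAAA)\s+(\S+)$")
FLAGS_RE = re.compile(r";; flags:\s*([a-z ]*);")


@dataclass
class DigResponse:
    flags: set = field(default_factory=set)
    ns: list = field(default_factory=list)    # (delegation owner, ns target)
    glue: set = field(default_factory=set)    # names that have A/AAAA in ADDITIONAL


@dataclass
class Finding:
    missing_in_domain: list   # in-domain NS names with no glue
    missing_other: list       # out-of-domain NS names with no glue (informational)
    tc: bool                  # TC flag present in the response

    @property
    def violates_rfc9471(self):
        # The MUST quoted in the post: in-domain glue dropped => TC must be set.
        return bool(self.missing_in_domain) and not self.tc


def is_subdomain(name, parent):
    """True if name equals parent or lies below it (FQDNs with trailing dot)."""
    if parent == ".":
        return True
    return name == parent or name.endswith("." + parent)


def parse_dig(text):
    """Minimal parser for the parts of dig's text output this check needs."""
    resp = DigResponse()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FLAGS_RE.search(line)
        if m:
            resp.flags = set(m.group(1).split())
            continue
        if line.startswith(";; AUTHORITY SECTION"):
            section = "authority"
            continue
        if line.startswith(";; ADDITIONAL SECTION"):
            section = "additional"
            continue
        if line.startswith(";"):
            section = None           # any other comment line ends the section
            continue
        m = RR_RE.match(line)
        if not m or section is None:
            continue
        owner, rtype, rdata = m.groups()
        if section == "authority" and rtype == "NS":
            resp.ns.append((owner.lower(), rdata.lower()))
        elif section == "additional" and rtype in ("A", "AAAA"):
            resp.glue.add(owner.lower())
    return resp


def check_referral(resp):
    """Classify glue-less name servers and decide whether TC was required."""
    missing_in = [t for o, t in resp.ns if is_subdomain(t, o) and t not in resp.glue]
    missing_other = [t for o, t in resp.ns if not is_subdomain(t, o) and t not in resp.glue]
    return Finding(missing_in, missing_other, "tc" in resp.flags)


# Constructed sample 1: in-domain servers, no glue, no TC -> violation.
SAMPLE_NO_GLUE_NO_TC = """\
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;www.example.com.\t\tIN\tA

;; AUTHORITY SECTION:
example.com.\t172800\tIN\tNS\tns1.example.com.
example.com.\t172800\tIN\tNS\tns2.example.com.

;; Query time: 1 msec
"""

# Constructed sample 2: one glue record dropped but TC set -> compliant.
SAMPLE_PARTIAL_GLUE_TC = """\
;; flags: qr tc rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; AUTHORITY SECTION:
example.com.\t172800\tIN\tNS\tns1.example.com.
example.com.\t172800\tIN\tNS\tns2.example.com.

;; ADDITIONAL SECTION:
ns1.example.com.\t172800\tIN\tA\t192.0.2.1
"""

# Constructed sample 3: the shape of the root's com. referral in the post,
# out-of-domain servers without glue and no TC -> informational only.
SAMPLE_ROOT_COM = """\
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; AUTHORITY SECTION:
com.\t172800\tIN\tNS\ta.gtld-servers.net.
com.\t172800\tIN\tNS\tb.gtld-servers.net.
"""

if __name__ == "__main__":
    for label, text in (("no-glue-no-tc", SAMPLE_NO_GLUE_NO_TC),
                        ("partial-glue-tc", SAMPLE_PARTIAL_GLUE_TC),
                        ("root-com", SAMPLE_ROOT_COM)):
        f = check_referral(parse_dig(text))
        print(f"{label}: tc={f.tc} in_domain_missing={f.missing_in_domain} "
              f"other_missing={f.missing_other} violation={f.violates_rfc9471}")
```

Piping `dig +noedns +ignore` output into `parse_dig` lets a resolver operator run this over the thirteen root letters the way the post's shell loop does, and alert only on the case the RFC makes mandatory. A resolver that treats the informational case as a hard failure would needlessly re-query over TCP for every sibling-glue referral, so the two lists are kept separate.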
More information about the dns-operations mailing list